Warezov and Stration seeding
Date: 28 October 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8277

Warezov/Stration trojan seeding seems to be on the rise. The infection process begins with the ubiquitous "postcard" email.
The attached Postcard.exe then follows an infection pattern similar to earlier runs, first requesting further malware:

    http://erunjintunhdefungandesun.com/bee32.exe

Note that this domain is bot-hosted: the name resolves to a large, rotating set of addresses in unrelated (largely consumer) netblocks rather than to a hosting provider's range:

    > host erunjintunhdefungandesun.com
    erunjintunhdefungandesun.com has address 78.106.74.34
    erunjintunhdefungandesun.com has address 79.178.10.10
    erunjintunhdefungandesun.com has address 80.178.222.246
    erunjintunhdefungandesun.com has address 81.25.55.109
    erunjintunhdefungandesun.com has address 82.83.142.128
    erunjintunhdefungandesun.com has address 84.155.97.86
    erunjintunhdefungandesun.com has address 85.29.193.18
    erunjintunhdefungandesun.com has address 85.64.19.227
    erunjintunhdefungandesun.com has address 88.134.219.121
    erunjintunhdefungandesun.com has address 89.0.207.159
    erunjintunhdefungandesun.com has address 89.138.167.228
    erunjintunhdefungandesun.com has address 89.176.97.16
    erunjintunhdefungandesun.com has address 89.176.118.169
    erunjintunhdefungandesun.com has address 89.178.185.141
    erunjintunhdefungandesun.com has address 122.197.27.195
    erunjintunhdefungandesun.com has address 69.181.102.226
    erunjintunhdefungandesun.com has address 77.41.35.67
    erunjintunhdefungandesun.com has address 78.106.45.201
    erunjintunhdefungandesun.com has address 78.106.48.24
    ..

Two further requests are made to more bot-hosted domains:

    http://vadesiwaderionas.com/chr/1197/e/t0000?lid=A590474043D714E78DDA
    http://xaseruinjinherungandesun.com/uimm32.exe

And finally, two more requests are made to the same bot-hosted domain (one of them via a www1 subdomain), first a check-in that reports the victim's IP and then another download:

    http://www1.xaseruinjinherungandesun.com/cgi-bin/ip.cgi
    http://xaseruinjinherungandesun.com/fsdv32.exe

Other domains that some of these addresses reverse to, and that could also be malicious, include, for example:
I would suggest looking for flows to these IPs, but that would be quite difficult (and not very effective) given that the IPs are rotated through the domains quite quickly. It would be a good idea to consider null-routing or otherwise blocking these domains, as well as checking logs for requests to them.

Matthew
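The following Python script is an added example and is not part of the original AusCERT post. It shows the two checks the post recommends: scoring a name as bot-hosted from `host` output (many A records scattered across unrelated /16 networks, which is why blocking by IP will not keep up) and hunting a proxy log for requests to the three domains named above, matching subdomains such as www1 as well. The `host` records are the first lines quoted in the post; the proxy log lines, the benign control name example.org and the Squid native access.log field layout are constructed assumptions for the demonstration.

```python
"""Added example, not part of the original AusCERT post: score a name for
fast-flux (bot) hosting from `host` output, and hunt a proxy log for requests
to the domains named in the post, including subdomains such as www1."""
import ipaddress
import re
from urllib.parse import urlsplit

# The three domains named in the post.
BAD_DOMAINS = {
    "erunjintunhdefungandesun.com",
    "vadesiwaderionas.com",
    "xaseruinjinherungandesun.com",
}

# Constructed sample: the first A records from the `host` output in the post,
# plus an assumed benign control name whose addresses sit in a single /16.
HOST_OUTPUT = """\
erunjintunhdefungandesun.com has address 78.106.74.34
erunjintunhdefungandesun.com has address 79.178.10.10
erunjintunhdefungandesun.com has address 80.178.222.246
erunjintunhdefungandesun.com has address 81.25.55.109
erunjintunhdefungandesun.com has address 82.83.142.128
erunjintunhdefungandesun.com has address 84.155.97.86
erunjintunhdefungandesun.com has address 85.29.193.18
erunjintunhdefungandesun.com has address 85.64.19.227
example.org has address 93.184.216.34
example.org has address 93.184.216.35
"""

# Constructed sample in Squid native access.log layout (an assumption about the
# log format; adjust the field indices for other proxies). Client 10.1.2.3
# walks the chain described in the post; 10.1.2.9 is benign traffic.
SAMPLE_LOG = """\
1193530001.123    210 10.1.2.3 TCP_MISS/200 61440 GET http://erunjintunhdefungandesun.com/bee32.exe - DIRECT/78.106.74.34 application/octet-stream
1193530002.456     30 10.1.2.3 TCP_MISS/200 512 GET http://vadesiwaderionas.com/chr/1197/e/t0000?lid=A590474043D714E78DDA - DIRECT/89.0.207.159 text/html
1193530003.789     44 10.1.2.3 TCP_MISS/200 120 GET http://www1.xaseruinjinherungandesun.com/cgi-bin/ip.cgi - DIRECT/85.64.19.227 text/plain
1193530010.000     15 10.1.2.9 TCP_HIT/200 2048 GET http://example.org/index.html - NONE/- text/html
"""

HOST_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_host_output(text):
    """Map each name in `host` output to the list of A records it returned."""
    records = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            name = m.group(1).lower().rstrip(".")
            records.setdefault(name, []).append(m.group(2))
    return records


def looks_fast_flux(addrs, min_networks=5, prefix=16):
    """Heuristic: A records scattered over many unrelated /16 networks
    (consumer ISP space) rather than one hoster's block indicate the name is
    served from infected hosts, so IP-based blocking will not keep up."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
    return len(nets) >= min_networks


def matches_domain(hostname, domains):
    """True if hostname is one of `domains` or a subdomain of one:
    www1.xaseruinjinherungandesun.com matches, notxaseruinjinherungandesun.com
    does not (a plain substring test would get that wrong)."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def find_requests(log_text, domains, url_field=6, client_field=2):
    """Return (client, hostname, url) for every log line whose request host
    is in `domains`; field indices follow Squid's native format."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) <= url_field:
            continue
        host = urlsplit(fields[url_field]).hostname
        if host and matches_domain(host, domains):
            hits.append((fields[client_field], host, fields[url_field]))
    return hits


if __name__ == "__main__":
    for name, addrs in parse_host_output(HOST_OUTPUT).items():
        print(f"{name}: {len(addrs)} A records, fast-flux={looks_fast_flux(addrs)}")
    for client, host, url in find_requests(SAMPLE_LOG, BAD_DOMAINS):
        print(f"{client} requested {url} ({host})")
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents; a client that appears in the hits has executed the postcard attachment and should be treated as compromised rather than merely cleaned of the first stage, since the chain fetches further binaries after the initial check-in.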